Fixes the following security issues:
CVE-2017-12122: An exploitable code execution vulnerability exists in the
ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted
ILBM image can cause a heap overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14440: An exploitable code execution vulnerability exists in the
ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted
ILBM image can cause a stack overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14441: An exploitable code execution vulnerability exists in the
ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted
ICO image can cause an integer overflow, cascading to a heap overflow
resulting in code execution. An attacker can display a specially crafted
image to trigger this vulnerability.
CVE-2017-14442: An exploitable code execution vulnerability exists in the
BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted
BMP image can cause a stack overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14448: An exploitable code execution vulnerability exists in the
XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted
XCF image can cause a heap overflow resulting in code execution. An
attacker can display a specially crafted image to trigger this
vulnerability.
CVE-2017-14449: A double-Free vulnerability exists in the XCF image
rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image
can cause a Double-Free situation to occur. An attacker can display a
specially crafted image to trigger this vulnerability.
CVE-2017-14450: A buffer overflow vulnerability exists in the GIF image
parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image
can lead to a buffer overflow on a global section. An attacker can display
an image to trigger this vulnerability.
For details, see the announcement:
https://discourse.libsdl.org/t/sdl-image-2-0-3-released/23958
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for zlib license is Zlib.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/zlib( )?(license)?/Zlib/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Thompson <peter.macleod.thompson@gmail.com>
[Thomas:
- remove all sub-options to select the various image formats. Between
no formats enabled and all formats enabled, the size difference of
the library is ~30 KB, so it really isn't worth having all those
sub-options:
-rwxr-xr-x 1 thomas thomas 22444 juil. 15 15:51 libSDL2_image-2.0.so.0.0.1
-rwxr-xr-x 1 thomas thomas 59216 juil. 15 15:52 libSDL2_image-2.0.so.0.0.1
consequently, we simply enable unconditionally all image formats
that don't have any dependency, and use "automatic" dependencies
for the 4 formats that require an external library
- remove the host package variant, as it isn't used anywhere.
- remove --with-sdl2-prefix and --with-sdl2-exec-prefix, and instead
add a dependency on host-pkgconf so that pkg-config is used
- remove --disable-static, this is handled by the autotools-package
infrastructure already
- point <pkg>_LICENSE_FILES to an existing file.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
